Managing GravityZone certificates for mobile devices after upgrade to iOS 13
Starting with iOS 13, Apple introduced new requirements for trusted security certificates, as well as limits on the validity period of these certificates. Devices whose certificates do not meet these requirements will fail to connect to the network, to access websites, and to run certain applications.
This change likely affects most GravityZone installations configured prior to the iOS 13 release, depending on how the MDM certificates were issued or configured.
This article describes what GravityZone administrators and iOS users should do to comply with the security certificate requirements from Apple.
After upgrading to iOS 13, Apple devices will stop communicating with the GravityZone Control Center if the security certificates do not meet the new Apple requirements.
Right after the upgrade, in the Network section of Control Center, the devices will not display any particular status icon indicating that there is an issue. Only after 24 hours will these devices display the status icon "Mobile, unmanaged, no issues".
However, if you try to modify the policy or to run tasks from GravityZone Control Center, any of your actions will remain in a pending state. Locally, the GravityZone Mobile Client will display a message informing the users that the policy is not active on their devices and that a server synchronization is needed.
To restore communication between iOS 13 devices and GravityZone, two measures are required:
- In GravityZone Control Center, add new security certificates that meet Apple requirements.
- Reactivate all iOS devices.
Upon adding new self-signed certificates in GravityZone Control Center, Android users also need to open GravityZone Mobile Client and trust the new certificates.
As GravityZone administrator, you need to create the following certificates for mobile device management:
- Communication Server Certificate
- Apple MDM Push Certificate
- iOS MDM Identity and Profile Signing Certificate
- iOS MDM Trust Chain Certificate
To create new self-signed certificates for GravityZone that meet Apple requirements, follow the updated procedure described in this KB article.
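A check an administrator can run on a candidate certificate before importing it into Control Center, as an added example that is not from this article and not GravityZone code: it reads the certificate with the openssl command-line tool and tests it against the rules Apple published for iOS 13 (validity of 825 days or less, RSA keys of at least 2048 bits, a SHA-2 signature, a DNS SubjectAltName and the serverAuth extended key usage). It assumes openssl 1.1.1 or newer is installed; the helper that generates a self-signed test certificate uses a generic openssl command, not the procedure from the linked KB article, and any hostname passed to it is a constructed placeholder.

```python
# Added example: not from the Bitdefender KB article and not GravityZone code.
# Assumes the `openssl` command-line tool (1.1.1 or newer, for -addext) is on PATH.
import re
import subprocess
from datetime import datetime

MAX_VALIDITY_DAYS = 825  # Apple's limit for TLS server certs issued after 1 July 2019


def make_self_signed(cert_path, key_path, hostname, days, key_bits=2048):
    """Generate a self-signed server cert with a generic openssl command (not the
    GravityZone procedure), including the SAN and serverAuth EKU iOS 13 expects."""
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", f"rsa:{key_bits}", "-sha256",
         "-nodes", "-days", str(days), "-subj", f"/CN={hostname}",
         "-addext", f"subjectAltName=DNS:{hostname}",
         "-addext", "extendedKeyUsage=serverAuth",
         "-keyout", key_path, "-out", cert_path],
        capture_output=True, check=True,
    )


def _openssl_date(value):
    # openssl prints dates like "Jan  1 00:00:00 2020 GMT"
    return datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y GMT")


def check_ios13_requirements(cert_path):
    """Return {rule: passed} for each iOS 13 rule, read from `openssl x509 -text`."""
    text = subprocess.run(
        ["openssl", "x509", "-in", cert_path, "-noout", "-text", "-dates"],
        capture_output=True, text=True, check=True,
    ).stdout
    not_before = _openssl_date(re.search(r"notBefore=(.*)", text).group(1))
    not_after = _openssl_date(re.search(r"notAfter=(.*)", text).group(1))
    key_bits = int(re.search(r"Public-Key: \((\d+) bit\)", text).group(1))
    is_rsa = "Public Key Algorithm: rsaEncryption" in text
    sig_alg = re.search(r"Signature Algorithm: (\S+)", text).group(1)
    return {
        "validity_le_825_days": (not_after - not_before).days <= MAX_VALIDITY_DAYS,
        "key_size_ok": key_bits >= (2048 if is_rsa else 256),  # EC keys: P-256 or larger
        "sha2_signature": re.search(r"sha(256|384|512)", sig_alg, re.I) is not None,
        # the hostname must appear as a DNS SubjectAltName, not only in the CN
        "dns_san_present": re.search(r"Subject Alternative Name:.*\n.*DNS:", text) is not None,
        "serverauth_eku": "TLS Web Server Authentication" in text,
    }
```

A certificate that fails any rule in the returned dict will be rejected by iOS 13 devices even though older iOS versions and desktop browsers may still accept it.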
You must add the newly created certificates in the GravityZone Control Center. For the step-by-step procedure, refer to GravityZone Installation Guide.
After adding new certificates, all iOS devices from your GravityZone network must be activated again, including those running older versions than iOS 13.
If iOS users still have their current activation QR code, or if you as GravityZone administrator can temporarily get access to the iOS devices:
- On the iOS device, go to Settings > General > Profiles & Device Management and delete the Bitdefender MDM Enrollment Payload profile from the iOS device.
- Open GravityZone Mobile Client. The app will require activation once the MDM profile has been deleted.
- Reactivate using the current activation QR code received by email at the previous enrollment or available from GravityZone Control Center.
For details about enrollment, refer to this KB article.
After adding new self-signed certificates in GravityZone Control Center, GravityZone Mobile Client may inform Android users about a server certificate error.
To fix this issue, Android users must trust the new certificate on their devices.